Docs » Connect to your cloud service provider » Connect AWS to Splunk Observability Cloud » AWS authentication, permissions, and supported regions

AWS authentication, permissions, and supported regions 🔗

To connect your AWS services to Splunk Observability Cloud you need:

Authenticate in AWS using a security token 🔗

For the GovCloud or China regions, select the option to authenticate using a secure token, which combines an Access key ID and Secret access key you’ll create in your AWS Console.

When you’re creating the new permission for your user and are prompted for an access key practice, select Third-party service.

Required permissions 🔗

These are the required permissions to collect AWS data:

Required permissions in Splunk Observability Cloud 🔗

Regardless of the services you want to use, you need the following permissions:

  • organizations:DescribeOrganization. Only needed when Amazon cost and usage metrics are activated.

  • ec2:DescribeRegions

  • tag:GetResources

Permissions for the CloudWatch API 🔗

Besides the required permissions, include these permissions to allow Splunk Observability Cloud to collect AWS metrics using the CloudWatch API:

  • cloudwatch:GetMetricData

  • cloudwatch:ListMetrics

For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics",
        "ec2:DescribeRegions",
        "organizations:DescribeOrganization",
        "tag:GetResources"
      ],
      "Resource": "*"
    }
  ]
}

Permissions for Metric Streams 🔗

Besides the required permissions, include these permissions to allow Splunk Observability Cloud to collect AWS metrics using CloudWatch Metric Streams:

  • "cloudwatch:DeleteMetricStream"

  • "cloudwatch:GetMetricStream"

  • "cloudwatch:ListMetricStreams"

  • "cloudwatch:ListMetrics"

  • "cloudwatch:PutMetricStream"

  • "cloudwatch:StartMetricStreams"

  • "cloudwatch:StopMetricStreams"

  • "iam:PassRole"

These permissions include the MetricStream phrase and the iam:PassRole permissions. Note the iam:PassRole permission is restricted to resources matching the arn:aws:iam::*:role/splunk-metric-streams* pattern.

For example:

{
"Version": "2012-10-17",
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "cloudwatch:GetMetricStream"
      "cloudwatch:ListMetricStreams",
      "cloudwatch:PutMetricStream",
      "cloudwatch:DeleteMetricStream",
      "cloudwatch:StartMetricStreams",
      "cloudwatch:StopMetricStreams",
      "ec2:DescribeRegions",
      "organizations:DescribeOrganization",
      "tag:GetResources"
    ],
    "Resource": "*"
  },
  {
    "Effect": "Allow",
    "Action": [
      "iam:PassRole"
    ],
    "Resource": "arn:aws:iam::*:role/splunk-metric-streams*"
  }
]
}

Permissions for tag and properties collection 🔗

On top of the required permissions, you also need to include the specific permissions for the services you use in your AWS IAM policy to allow Splunk Observability Cloud to collect specific AWS tags and properties. You’ll be able to use Infrastructure Monitoring to filter metrics based on those tags and properties.

These are these permissions to allow Splunk Observability Cloud to collect AWS tags and properties:

  • "apigateway:GET"

  • "autoscaling:DescribeAutoScalingGroups"

  • "cloudformation:ListResources"

  • "cloudformation:GetResource"

  • "cloudfront:GetDistributionConfig"

  • "cloudfront:ListDistributions"

  • "cloudfront:ListTagsForResource"

  • "directconnect:DescribeConnections"

  • "dynamodb:DescribeTable"

  • "dynamodb:ListTables"

  • "dynamodb:ListTagsOfResource"

  • "ec2:DescribeInstances"

  • "ec2:DescribeInstanceStatus"

  • "ec2:DescribeNatGateways"

  • "ec2:DescribeRegions"

  • "ec2:DescribeReservedInstances"

  • "ec2:DescribeReservedInstancesModifications"

  • "ec2:DescribeTags"

  • "ec2:DescribeVolumes"

  • "ecS:DescribeClusters"

  • "ecs:DescribeServices"

  • "ecs:DescribeTasks"

  • "ecs:ListClusters"

  • "ecs:ListServices"

  • "ecs:ListTagsForResource"

  • "ecs:ListTaskDefinitions"

  • "ecs:ListTasks"

  • "elasticache:DescribeCacheClusters"

  • "elasticloadbalancing:DescribeLoadBalancerAttributes"

  • "elasticloadbalancing:DescribeLoadBalancers"

  • "elasticloadbalancing:DescribeTags"

  • "elasticloadbalancing:DescribeTargetGroups"

  • "elasticmapreduce:DescribeCluster"

  • "elasticmapreduce:ListClusters"

  • "es:DescribeElasticsearchDomain"

  • "es:ListDomainNames"

  • "kinesis:DescribeStream"

  • "kinesis:ListShards"

  • "kinesis:ListStreams"

  • "kinesis:ListTagsForStream"

  • “kinesisanalytics:DescribeApplication”

  • “kinesisanalytics:ListApplications”

  • "kinesisanalytics:ListTagsForResource"

  • "lambda:GetAlias"

  • "lambda:ListFunctions"

  • "lambda:ListTags"

  • "rds:DescribeDBClusters"

  • "rds:DescribeDBInstances"

  • "rds:ListTagsForResource"

  • "redshift:DescribeClusters"

  • "redshift:DescribeLoggingStatus"

  • "s3:GetBucketLocation"

  • "s3:GetBucketTagging"

  • "s3:ListAllMyBuckets"

  • "s3:ListBucket"

  • "states:ListActivities"

  • "states:ListStateMachines"

  • "sqs:GetQueueAttributes"

  • "sqs:ListQueues"

  • "sqs:ListQueueTags"

  • "tag:GetResources"

  • "workspaces:DescribeWorkspaces"

Note

Cassandra permissions are declared as a separate object. See the example below.

Add the "<service>:<permission>" pair relevant to each service in the Action array of the AWS IAM policy JSON. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "autoscaling:DescribeAutoScalingGroups",
        "cloudformation:ListResources",
        "cloudformation:GetResource",
        "cloudfront:GetDistributionConfig",
        "cloudfront:ListDistributions",
        "cloudfront:ListTagsForResource",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics",
        "directconnect:DescribeConnections",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeNatGateways",
        "ec2:DescribeRegions",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeReservedInstancesModifications",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ecs:DescribeClusters",
        "ecs:DescribeServices",
        "ecs:DescribeTasks",
        "ecs:ListClusters",
        "ecs:ListServices",
        "ecs:ListTagsForResource",
        "ecs:ListTaskDefinitions",
        "ecs:ListTasks",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "elasticache:DescribeCacheClusters",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:ListClusters",
        "es:DescribeElasticsearchDomain",
        "es:ListDomainNames",
        "kinesis:DescribeStream",
        "kinesis:ListShards",
        "kinesis:ListStreams",
        "kinesis:ListTagsForStream",
        "kinesisanalytics:DescribeApplication",
        "kinesisanalytics:ListApplications",
        "kinesisanalytics:ListTagsForResource",
        "lambda:GetAlias",
        "lambda:ListFunctions",
        "lambda:ListTags",
        "logs:DeleteSubscriptionFilter",
        "logs:DescribeLogGroups",
        "logs:DescribeSubscriptionFilters",
        "logs:PutSubscriptionFilter",
        "organizations:DescribeOrganization",
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "rds:ListTagsForResource",
        "redshift:DescribeClusters",
        "redshift:DescribeLoggingStatus",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketTagging",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutBucketNotification",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ListQueueTags",
        "states:ListActivities",
        "states:ListStateMachines",
        "tag:GetResources",
        "workspaces:DescribeWorkspaces"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cassandra:Select"
      ],
      "Resource": [
        "arn:aws:cassandra:*:*:/keyspace/system/table/local",
        "arn:aws:cassandra:*:*:/keyspace/system/table/peers",
        "arn:aws:cassandra:*:*:/keyspace/system_schema/*",
        "arn:aws:cassandra:*:*:/keyspace/system_schema_mcs/table/tags",
        "arn:aws:cassandra:*:*:/keyspace/system_schema_mcs/table/tables",
        "arn:aws:cassandra:*:*:/keyspace/system_schema_mcs/table/columns"
      ]
    }
  ]
}

Permissions for log collection 🔗

These are the permissions to allow Splunk Observability Cloud to collect AWS logs. Include those related to your service in your IAM policy.

  • "cloudfront:GetDistributionConfig"

  • "cloudfront:ListDistributions"

  • "cloudfront:ListTagsForResource"

  • "ec2:DescribeRegions"

  • "elasticloadbalancing:DescribeLoadBalancerAttributes"

  • "elasticloadbalancing:DescribeLoadBalancers"

  • "elasticloadbalancing:DescribeTags"

  • "elasticloadbalancing:DescribeTargetGroups"

  • "logs:DeleteSubscriptionFilter"

  • "logs:DescribeLogGroups"

  • "logs:DescribeSubscriptionFilters"

  • "redshift:DescribeClusters"

  • "redshift:DescribeLoggingStatus"

  • "s3:GetBucketLogging"

  • "s3:GetBucketNotification"

  • "s3:ListAllMyBuckets"

  • "s3:ListBucket"

  • "s3:PutBucketNotification"

  • "tag:GetResources"

Permissions for usage collection and reports 🔗

Include these permissions to allow Splunk Observability Cloud to collect AWS usage data and reports:

  • "ec2:DescribeRegions"

  • "organizations:DescribeOrganization"

Troubleshoot AWS permission issues 🔗

In case of any permission-related issue, review your AWS Organization Service Control Policy and the permission boundaries for your IAM entities. Both might impose some limits on the AWS policy Splunk Observability Cloud uses to connect to your AWS account.

Read more at the official AWS documentation:

Supported AWS regions 🔗

If you want to activate a specific optional region, you need to do it before adding it to the integration. Make sure you’ve activated the optional regions you’ll need in your AWS console first. Regular regions are activated in AWS by default.

  • If you’re using the UI guided setup to create the integration, you’ll be prompted to select which AWS regions you work with.

  • If you’re using the API and supply an empty list in an API call, Splunk Observability Cloud activates all regular regions. If you add the ec2:DescribeRegions permission to your AWS policy, optional regions you’ve activated on your AWS account are activated in Splunk Observability Cloud as well. Although empty regions list configuration is possible via the API, it is highly discouraged since it can lead to an unexpected cost increase whenever a new region is enabled on the AWS account.

Note

When you edit an existing integration that was configured with an empty list of regions, the UI guided setup will automatically populate the regions list to include regions enabled on your AWS account if your policy contains ec2:DescribeRegions permission. Otherwise, it will populate the list with all regular AWS regions. If you previously created an integration using the UI guided setup and used the default all regions configuration, it also will get migrated accordingly. This migration will not impact what data we currently collect for any edited integrations.

Splunk Observability Cloud supports the following AWS regions:

Regular 🔗

  • ap-northeast-1: Asia Pacific (Tokyo)

  • ap-northeast-2: Asia Pacific (Seoul)

  • ap-northeast-3: Asia Pacific (Osaka)

  • ap-south-1: Asia Pacific (Mumbai)

  • ap-southeast-1: Asia Pacific (Singapore)

  • ap-southeast-2: Asia Pacific (Sydney)

  • ca-central-1: Canada (Central)

  • eu-central-1: Europe (Frankfurt)

  • eu-north-1: Europe (Stockholm)

  • eu-west-1: Europe (Ireland)

  • eu-west-2: Europe (London)

  • eu-west-3: Europe (Paris)

  • sa-east-1: South America (Sao Paulo)

  • us-east-1: US East (N. Virginia)

  • us-east-2: US East (Ohio)

  • us-west-1: US West (N. California)

  • us-west-2: US West (Oregon)

Optional 🔗

  • af-south-1: Africa (Cape Town)

  • ap-east-1: Asia Pacific (Hong Kong)

  • ap-south-2: Asia Pacific (Hyderabad)

  • ap-southeast-3: Asia Pacific (Jakarta)

  • ap-southeast-4: Asia Pacific (Melbourne)

  • eu-central-2: Europe (Zurich)

  • eu-south-1: Europe (Milan)

  • eu-south-2: Europe (Spain)

  • me-central-1: Middle East (UAE)

  • me-south-1: Middle East (Bahrain)

GovCloud 🔗

  • us-gov-east-1: AWS GovCloud (US-East)

  • us-gov-west-1: AWS GovCloud (US-West)

China 🔗

  • cn-north-1: China (Beijing)

  • cn-northwest-1: China (Ningxia)